Changes

Line 3: Line 3:  
===Website Security===
 
===Website Security===
 
To protect GC electronic networks, devices and information, the following is a non-exhaustive list of security considerations that can be implemented in a layered manner to support a defence-in-depth approach for web services and minimize opportunities for cyber attacks:
 
To protect GC electronic networks, devices and information, the following is a non-exhaustive list of security considerations that can be implemented in a layered manner to support a defence-in-depth approach for web services and minimize opportunities for cyber attacks:
 
+
<br>
 
* Deploy modern operating systems (OS) and applications that are maintained with supported, up-to-date, and tested versions of software.
 
* Deploy modern operating systems (OS) and applications that are maintained with supported, up-to-date, and tested versions of software.
 
* Actively manage software vulnerabilities, including fixing known vulnerabilities quickly following a timely patch maintenance policy for OS and applications, and taking other mitigating steps, where patches can’t be applied.
 
* Actively manage software vulnerabilities, including fixing known vulnerabilities quickly following a timely patch maintenance policy for OS and applications, and taking other mitigating steps, where patches can’t be applied.
Line 12: Line 12:  
* Use strong authentication mechanisms (for example, multi-factor authentication) where possible to protect from unauthorized access.
 
* Use strong authentication mechanisms (for example, multi-factor authentication) where possible to protect from unauthorized access.
 
* Design web services so that they are protected from common security vulnerabilities such as SQL injection and others described in widely-used publications such as the [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Open Web Application Security * Project (OWASP) Top 10].
 
* Design web services so that they are protected from common security vulnerabilities such as SQL injection and others described in widely-used publications such as the [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Open Web Application Security * Project (OWASP) Top 10].
 
+
<br>
 
For more information on best practices, refer to [https://www.cse-cst.gc.ca/en/group-groupe/its-advice-and-guidance Communications Security Establishment’s (CSE’s) IT security advice and guidance].
 
For more information on best practices, refer to [https://www.cse-cst.gc.ca/en/group-groupe/its-advice-and-guidance Communications Security Establishment’s (CSE’s) IT security advice and guidance].
 
<br><br>
 
<br><br>
 
'''Additional Guidance:''' [https://www.us-cert.gov/ncas/tips/ST18-006 Website Security | US-CERT]
 
'''Additional Guidance:''' [https://www.us-cert.gov/ncas/tips/ST18-006 Website Security | US-CERT]
 +
<br><br>
    
===HTTP/2===
 
===HTTP/2===
263

edits